On 11 sep 2008, at 21.49, Dean Anderson wrote:

> On Thu, 11 Sep 2008, Kurt Erik Lindqvist wrote:
>
>> (CC trimmed)
>>
>> Having worked for a tier-1 provider and started two ISPs in the past,
>> I am certain that BCP38 won't be universally deployed as that is
>> operationally very hard and costly in larger networks. This
>> effectively means that there will still be attack vectors open using
>> recursive reflectors.
>
> BCP38 non-deployment means that there will be all kinds of spoofed
> source IP address attacks, not just open recursor attacks.

Not will be - is.

> I have personal experience with some rooted systems, recently. The
> botnet software that I've seen on these rooted systems doesn't include
> programs for exploiting open recursors.

I am not sure that your rooted systems are representative for the general case. I am not sure I would draw conclusions based on a few rooted systems either btw...

>> Attacks using open recursors are real.
>
> I don't dispute there have been open recursor attacks. However the
> attacks appear to be contrived and solicited, lacking in number,
> lacking in intensity, and lacking in actual damage.

People working in the field seem to think otherwise.

>> I wish I could share data or evidence, but as is usually the case in
>> security operations, people are not very happy to share the details.
>
> Secret evidence that no one can share, and secret harms that no one has
> ever reported in the press or in security forums. Maybe we can have a
> super-secret 'recursors-are-evil' document that is never published,
> because the problem is so secret.

At least the security forums that I have access to seem to indicate otherwise. They are not public or open though...

>> The best we have is what I assume is the data point from the largest
>> commercial observer and regular study (Danny's survey) from the global
>> operations forums. Dean has already decided to disregard that
>> data, so I have no idea what other public source of data he would
>> trust.
>
> NANOG represents a tiny minority of the internet operations community,
> just in North America. As has already been pointed out, ARIN has about
> 3000 members, and NANOG represents a few hundred. NANOG has previously
> deceived the public on similar matters.

From what I remember you are the one that keeps saying Danny based the report on some sort of NANOG data while Danny said the report was based on data from all operator forums. The world is larger than the US...

The above said, as you obviously do not have access to the attack data collected at operators, I believe we should just agree to disagree.

Best regards,

- kurtis -

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop